Solved

active directory - allow users to login to OWA and Sharepoint site only, not interactive on desktop PC

Posted on 2014-12-09
3
611 Views
Last Modified: 2014-12-10
Hi there
So we have a requirement to allow certain users to login to their email via OWA and to a Sharepoint site but they should not be permitted to logon to the network in the office on a PC and therefore no access to shared drives etc.
Is there a way to do this in group policy or another way?
many thanks
0
Comment
Question by:stack888
3 Comments
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 40491476
Have you tried setting their "Log on to" in the AD user properties?  I'm not sure that works, though, I seem to recall in the past admins having a problem with this method.  Another possibility would be to create a special global group with restricted rights and then give that group only the necessary rights to log on to the Sharepoint and OWA sites. For Sharepoint, they would also need the necessary NTFS permissions to access any documents or other services and/or storage areas on your network to use the data that is being served through the Sharepoint site.
0
 
LVL 35

Accepted Solution

by:
Mahesh earned 500 total points
ID: 40492032
Log on to tab in AD will definitely work

You need to create any fake computer account in AD and you need to edit properties of all required users and add this computer account, so that they can't logon to any other computers locally
In addition to above you need to restrict them on Remote Desktop services profile tab as well
U need to select check box "deny this user to logon to remote desktop session host server

Lastly, the below solution should work \ will work 100%
1st create one security group and add all required users to that group
At domain level create new group policy and in that policy enable deny logon locally and deny logon thru terminal services user rights setting and add above group there
These users will not be able to logon to any servers \ desktops trough RDP \ locally

Test any of above solution prior to deploy full flesh

Mahesh
0
 
LVL 2

Author Closing Comment

by:stack888
ID: 40492361
Mahesh, i ended up using pretty much your solution.
thanks!

This is what i did:

Create a group "Users Denied Interactive Logon", and make the relevant users a member.
Create a Group Policy Object (GPO) linked at the root of the domain called "Deny Interactive Logon"
In the "User Rights Assignment" subnode of the "Local Policies" subnode of the "Security Settings" subnode of the "Windows Settings" subnode of the "Computer Configuration" node I would add "Deny log on locally" permission for "Users Denied Interactive Logon" group.
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

I know all systems administrator at some time or another has had to create a script to copy file from a server share to a desktop. Well now there is an easy way to do this in Group Policy. Using Group policy preferences is not hard. The first thing …
In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

26 Experts available now in Live!

Get 1:1 Help Now